CVE-2024-5452: pytorch-lightning: RCE via deepdiff Delta deserialization

GHSA-cgwc-qvrx-rf7f | CRITICAL | PoC AVAILABLE | CISA: ATTEND
Published June 6, 2024

CISO Take

Any self-hosted pytorch-lightning application in default configuration is vulnerable to unauthenticated remote code execution — no credentials required, no user interaction needed. The delta endpoint is enabled by default, making internet-exposed ML training servers trivially exploitable by anyone with network access. Patch to lightning >= 2.3.3 immediately; if patching is blocked, restrict or disable the delta endpoint and isolate the host from untrusted networks.

What is the risk?

Extremely high risk. CVSS 9.8 with no authentication, no user interaction, and low attack complexity means any network-reachable pytorch-lightning instance is a critical exposure. EPSS of 0.567 signals ~57% probability of exploitation in the wild within 30 days — treat this as actively exploited. ML training infrastructure is often trusted-network territory with inadequate hardening, and post-exploitation access to GPU servers, model weights, training data, and cloud credentials makes these high-value targets for IP theft, lateral movement, and cryptomining.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
PyTorch Lightning | pip | < 2.3.3 | 2.3.3
PyTorch | pip | | No patch

PyTorch Lightning: 31.2K, OpenSSF 5.9, 1.6K dependents, pushed 13d ago, 57% patched, ~373d to patch
PyTorch: 100.9K, OpenSSF 6.4, 22.7K dependents, pushed 3d ago, 11% patched, ~216d to patch

How severe is it?

CVSS 3.1: 9.8 / 10
EPSS: 26.5% chance of exploitation in 30 days (higher than 98% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
EPSS exploit prediction: 26%

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV: Network
AC: Low
PR: None
UI: None
S: Unchanged
C: High
I: High
A: High

What should I do?

6 steps
  1. PATCH

    Upgrade to lightning >= 2.3.3 immediately (pip install 'lightning>=2.3.3').

  2. INTERIM WORKAROUND

    If patching is blocked, disable the delta endpoint in application configuration or block it at the reverse proxy/WAF layer before the patch is applied.

  3. NETWORK ISOLATION

    Ensure pytorch-lightning applications are never exposed to untrusted networks; enforce strict firewall rules limiting access to authorized IP ranges and require VPN for all ML platform access.

  4. INVENTORY

    Audit all lightning/pytorch-lightning installations across your environment using package scanners (pip list, Safety, Trivy, Grype, Syft) — pay special attention to CI/CD systems and shared ML platforms.

  5. DETECTION

    Monitor for anomalous child process spawning from Python/lightning processes; alert on unexpected outbound connections from ML training hosts; review delta endpoint access logs for suspicious payloads.

  6. CREDENTIAL ROTATION

    If any instance may have been exposed, treat the host as compromised — rotate all credentials, API keys, and cloud IAM tokens present on the system.
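A minimal version of the inventory step (step 4), added here as an example and not taken from the Lightning project or any scanner: it reads `pip freeze` output and classifies `lightning` / `pytorch-lightning` entries against the 2.3.3 fix version stated on this page. The sample lines, file path and helper names are constructed for illustration.

```python
import re

FIXED = (2, 3, 3)                              # first patched release per this page
AFFECTED = {"lightning", "pytorch-lightning"}  # package names this page lists

# Constructed `pip freeze` lines (sample data, as if gathered from several hosts).
SAMPLE_FREEZE = """\
numpy==1.26.4
Lightning==2.2.1
pytorch_lightning==2.3.3
lightning @ file:///srv/wheels/lightning-custom.whl
torch==2.3.0+cu121
"""

LINE_RE = re.compile(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:==\s*([^\s;]+))?")
EGG_RE = re.compile(r"#egg=([A-Za-z0-9][A-Za-z0-9._-]*)")  # editable installs
PRE_RE = re.compile(r"[-_.]?(a|b|rc|dev|alpha|beta|pre)", re.I)

def normalize(name):
    """PEP 503 normalisation, so Pytorch_Lightning equals pytorch-lightning."""
    return re.sub(r"[-_.]+", "-", name).lower()

def classify(version):
    """Return 'vulnerable', 'patched' or 'unknown' for one version string."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)", version.strip())
    if not m:
        return "unknown"
    release = tuple(int(p) for p in m.group(1).split("."))
    release += (0,) * (3 - len(release))       # "2.3" compares as 2.3.0
    if release < FIXED:
        return "vulnerable"
    # A pre-release or dev build of 2.3.3 sorts before 2.3.3, inside "< 2.3.3".
    if release == FIXED and PRE_RE.match(m.group(2)):
        return "vulnerable"
    return "patched"

def audit(freeze_text):
    """Return [(package, version, status)] for the affected packages only."""
    findings = []
    for line in freeze_text.splitlines():
        m = LINE_RE.match(line.strip()) or EGG_RE.search(line)
        if not m:
            continue
        name = normalize(m.group(1))
        version = m.group(2) if m.lastindex == 2 else None  # None: not pinned
        if name in AFFECTED:
            status = classify(version) if version else "unknown"
            findings.append((name, version, status))
    return findings
```

Entries reported as "unknown" (direct-URL or editable installs) carry no version in the listing and need a manual check on the host.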

What does CISA's SSVC say?

Decision: Attend
Exploitation: poc
Automatable: Yes
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2 - AI system security and resilience
NIST AI RMF
MANAGE 2.2 - Mechanisms are in place to identify and address risks from third-party AI software and services
OWASP LLM Top 10
LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2024-5452 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-5452, increasing the risk of exploitation.

What systems are affected by CVE-2024-5452?

This vulnerability affects the following AI/ML architecture patterns: ML training pipelines, model development environments, data science platforms, model serving.

What is the CVSS score for CVE-2024-5452?

CVE-2024-5452 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 26.49%.

What is the AI security impact?

Affected AI Architectures

ML training pipelines, model development environments, data science platforms, model serving

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0072 Reverse Shell

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM05

What are the technical details?

Original Advisory

A remote code execution (RCE) vulnerability exists in the lightning-ai/pytorch-lightning library version 2.2.1 due to improper handling of deserialized user input and mismanagement of dunder attributes by the `deepdiff` library. The library uses `deepdiff.Delta` objects to modify application state based on frontend actions. However, it is possible to bypass the intended restrictions on modifying dunder attributes, allowing an attacker to construct a serialized delta that passes the deserializer whitelist and contains dunder attributes. When processed, this can be exploited to access other modules, classes, and instances, leading to arbitrary attribute write and total RCE on any self-hosted pytorch-lightning application in its default configuration, as the delta endpoint is enabled by default.

Exploitation Scenario

An adversary scans for internet-exposed pytorch-lightning applications via Shodan or Censys targeting known default ports. Upon identifying a target running lightning < 2.3.3, they craft a malicious serialized deepdiff.Delta object that embeds dunder attribute modifications (e.g., __class__, __reduce__) bypassing the deserializer whitelist. The payload is submitted as a standard POST to the delta endpoint — no authentication required. When the server processes the delta, the dunder attributes pivot through Python's object model to import os or subprocess, executing an attacker-controlled command with the privileges of the lightning process. The attacker then exfiltrates model weights, training datasets, and cloud credentials from environment variables, or drops a persistent implant for ongoing access to the ML development environment. The entire chain requires no prior knowledge of the target beyond its network address.

Weaknesses (CWE)

CWE-913 — Improper Control of Dynamically-Managed Code Resources: The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.

  • [Implementation] For any externally-influenced input, check the input against an allowlist of acceptable values.
  • [Implementation, Architecture and Design] Refactor the code so that it does not need to be dynamically managed.

Source: MITRE CWE corpus.
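The allowlist mitigation above, applied to the dunder-attribute problem the advisory describes, as an added example (not the deepdiff or Lightning fix): a pre-check that walks a decoded delta and reports any path that carries a dunder name or falls outside a strict path grammar. The grammar is an assumption modelled on deepdiff's `root[...]` path notation, and both sample deltas are constructed.

```python
import re

KEY = r"[A-Za-z0-9][A-Za-z0-9_ -]*"   # dict key element: may not start with "_"
ATTR = r"[A-Za-z][A-Za-z0-9_]*"       # attribute element: may not start with "_"
# Allowlist grammar (assumed): "root" followed by ['key'], [index] or .attr.
PATH_RE = re.compile(rf"root(?:\['{KEY}'\]|\[\d+\]|\.{ATTR})*\Z")
PATHLIKE_RE = re.compile(r"root(?:[\[.]|\Z)")
DUNDER_RE = re.compile(r"__\w+__")

# Constructed sample deltas (illustrative data, not captured traffic).
BENIGN = {
    "values_changed": {"root['counter']": {"new_value": 5}},
    "iterable_item_added": {"root['items'][2]": "x"},
}
SUSPECT = {
    "attribute_added": {"root['counter'].__class__": 0},
    "values_changed": {"root['a'][\"b\"]": {"new_value": 1}},
}

def check(text, loc):
    """Judge one key or path string; return a list with zero or one finding."""
    if DUNDER_RE.search(text):
        return [(loc, "dunder name")]
    if PATHLIKE_RE.match(text) and not PATH_RE.match(text):
        return [(loc, "path outside allowlist")]
    return []

def violations(node, loc="delta"):
    """Walk a decoded delta and return [(location, reason)] for every
    dict key, and every path-like string value, that fails the checks."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{loc}[{key!r}]"
            if isinstance(key, str):
                found += check(key, here)
            found += violations(value, here)
    elif isinstance(node, (list, tuple)):
        for i, item in enumerate(node):
            found += violations(item, f"{loc}[{i}]")
    elif isinstance(node, str) and PATHLIKE_RE.match(node):
        found += check(node, loc)
    return found
```

A check like this belongs in front of the delta handler or in log review as defence in depth; it does not replace upgrading to the patched release.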

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: June 6, 2024
Last Modified: October 15, 2025
First Seen: June 6, 2024
